Following a series of cyberattacks last week, including an ongoing incident at Stryker, the US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to rapidly strengthen endpoint management systems to protect against Iran-linked hackers and other threats.  

On March 11th, Michigan-based Stryker was targeted through its Microsoft Intune endpoint management systems. Microsoft devices were wiped, and data was stolen, causing major disruptions and, in some cases, affecting primary healthcare services.  

The Iranian hacktivist group Handala quickly claimed responsibility, saying the attack was retaliation for the ongoing Israeli–US conflict with Iran.  

CISA is working with US partners, including the FBI, to identify further threats and risks.   

To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune, the agency said in a statement.  

CISA also noted that these recommendations apply not only to Intune but also to other endpoint management software.  

Organizations should use Intune role-based access controls to ensure users have only the permissions they need for daily tasks. They should also enforce phishing-resistant multi-factor authentication and strong privileged access controls. For sensitive or high-impact actions in Microsoft Intune, access policies should require approval from multiple administrators.  

Global Peers 

Offering a global perspective, Keven Knight, CEO of Talion, said CISA’s guidance is relevant outside the US. He expects similar alerts from other agencies worldwide. For example, the UK’s National Cyber Security Centre (NCSC) has already issued a wider cyber alert related to the Iran conflict.  

The Stryker attack was striking because its aim was destruction, not money. There was no ransom or way to recover the data. Backups were unavailable, forcing a complete rebuild.  

Given the current geopolitical situation, it’s likely these destructive attacks will occur more frequently. Strengthening endpoints, using least privilege access, making regular backups, and practicing security response plans are all essential steps.  

He added that since these attacks target countries, organizations must be ready.  

Tip Of The Iceberg 

The Stryker attack is the most high-profile case of Iran’s cyber retaliation against the US, occurring two days after progress in nuclear talks. Experts warn this could be just the beginning.  

Michael Smith, CTO at DigiCert, has tracked nearly 4,500 threats from 43 active groups, noting that the most recent regional attacks are attempts to intimidate rather than destroy.  

Smith noted many attacks go unreported. “We’ve seen BDOS attacks stopped before outages. We also monitor active hacktivist discussions for signs and warnings.”  

Smith said these attacks show foreign audiences that geographic boundaries do not limit the reach of threats, reinforcing intimidation.  

Adding to this, Kathryn Raines, who leads Flashpoint’s cyber threat intelligence, said cyber activity related to this conflict is now focusing more on disrupting organizations.  

She continued: “Groups like Handala are making bigger claims about large-scale attacks.” These include destroying data and exposing sensitive information belonging to private companies and individuals. Even if some claims are hard to verify, they still create uncertainty, which can seriously affect trust, operations, and response efforts.  

CISA has identified malicious cyber activity targeting endpoint management systems at US organizations following the March 11, 2026, cyberattack on Stryker Corporation that impacted its Microsoft environment. To help prevent similar incidents, CISA encourages organizations to strengthen their endpoint management system configurations by following the recommendations and resources in this alert. CISA is also working closely with federal partners, including the FBI, to identify additional threats and determine mitigation steps.  

To reduce risk from endpoint threats, promptly apply Microsoft’s best practices for Microsoft Intune and other endpoint tools.  

  • Use Microsoft Intune’s Role-Based Access Control (RBAC) to grant each role only the permissions needed for daily tasks. These permissions define what actions each role can take and which users or devices those actions apply to.  

Enforce phishing-resistant multi-factor authentication for all privileged accounts and follow best practices for privileged access.  

  • Use Microsoft Entra ID features such as conditional access, MFA, risk-based policies, and privileged access policies to prevent unauthorized privileged actions in Intune.  

Require multi-admin approval for Microsoft Intune access policies.  

  • Establish policies requiring secondary administrator approval before executing sensitive or high-impact operations, including device wipes and application deployments.  
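The three recommendations above (and the same three points summarized earlier in the article) put into practice as one script. This is an added example, not part of the CISA alert or Microsoft's own guidance, and it uses the Microsoft Graph PowerShell SDK against the Graph REST API. The four group IDs are placeholders; the directory role template IDs (Global Administrator, Intune Administrator) and the built-in "Phishing-resistant MFA" authentication strength ID are the well-known values but should be confirmed in your tenant; the multi-admin approval (operation approval policy) endpoint is in the beta API, so its property names and enum values should be checked against current documentation before use.

```powershell
# Added example: harden an Intune tenant along the three CISA recommendations.
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph.Authentication).
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'DeviceManagementConfiguration.ReadWrite.All'

# Placeholder group IDs - replace with the Entra ID groups in your tenant.
$helpdeskGroupId   = '00000000-0000-0000-0000-00000000aaaa'  # Tier-1 helpdesk staff
$helpdeskScopeId   = '00000000-0000-0000-0000-00000000bbbb'  # scope group: devices they may manage
$approverGroupId   = '00000000-0000-0000-0000-00000000cccc'  # senior Intune admins who approve
$breakGlassGroupId = '00000000-0000-0000-0000-00000000dddd'  # emergency-access accounts

# 1. Least-privilege Intune RBAC: assign a limited built-in role to a group and
#    restrict the assignment to a scope group so it cannot reach every device.
$roleDefs = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions'
$helpDeskRole = $roleDefs.value | Where-Object { $_.displayName -eq 'Help Desk Operator' }
if (-not $helpDeskRole) { throw 'Built-in Help Desk Operator role not found' }

$assignment = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Helpdesk - Help Desk Operator (scoped)'
    description                 = 'Day-to-day helpdesk tasks, limited to the helpdesk scope group'
    members                     = @($helpdeskGroupId)
    resourceScopes              = @($helpdeskScopeId)
    'roleDefinition@odata.bind' = "https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$($helpDeskRole.id)"
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments' -Body $assignment

# 2. Phishing-resistant MFA for privileged roles via Conditional Access.
#    Authentication strength ...0004 is the built-in "Phishing-resistant MFA".
#    Role GUIDs are the Entra directory role template IDs for Global Administrator
#    and Intune Administrator (verify in your tenant). Created in report-only mode
#    first so sign-in logs can be reviewed before enforcement locks anyone out.
$caPolicy = @{
    displayName = 'Require phishing-resistant MFA for Intune and Global admins'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications = @{ includeApplications = @('All') }
        users        = @{
            includeRoles  = @('62e90394-69f5-4237-9190-012177145e10',
                              '3a2c62db-5318-420d-8d74-23affee5d9d5')
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $caPolicy

# 3. Multi-admin approval: a second administrator from the approver group must
#    approve remote device actions (wipe, retire) and app deployments before they run.
#    Beta endpoint; property names and enum values are assumptions to verify.
foreach ($type in 'deviceAction', 'app') {
    $approval = @{
        displayName      = "Approval required: $type"
        description      = 'Second-admin approval for destructive or high-impact operations'
        policyType       = $type
        policyPlatform   = 'notApplicable'
        approverGroupIds = @($approverGroupId)
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies' -Body $approval
}

# Check: list the approval policies so the change can be reviewed.
(Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies').value |
    Select-Object displayName, policyType, approverGroupIds
```

Two design points worth noting. The Conditional Access policy is created in report-only state and excludes a break-glass group, because an enforced phishing-resistant-MFA policy that nobody has registered a FIDO2 key or certificate for will lock administrators out of the very console they need to fix it. And the RBAC assignment is bound to a scope group, not just a role: in the Stryker-style scenario the damaging action is a mass wipe, so limiting which devices an account can reach matters as much as limiting which actions it can take.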

Source: CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization; CISA tells US organisations to harden endpoint management after Stryker attack 
